Smart cards

Apr 27, 2015

Smart card authentication is supported within the guidelines described here.

Multiple smart cards and multiple readers can be used on the same user device, but if pass-through authentication is in use, only one smart card must be inserted when the user starts a virtual desktop or application. When a smart card is used within an application (for example, for digital signing or encryption functions), there might be additional prompts to insert a smart card or enter a PIN. This can occur if more than one smart card has been inserted at the same time. If users are prompted to insert a smart card when the smart card is already in the reader, they should select Cancel. If they are prompted for the PIN, they should enter the PIN again.

If you are using hosted applications running on Windows Server 2008 or 2008 R2 and with smart cards requiring the Microsoft Base Smart Card Cryptographic Service Provider, you might find that if a user runs a smart card transaction, all other users who use a smart card in the logon process are blocked. For further details and a hotfix for this issue, see http://support.microsoft.com/kb/949538.

Your organization might have specific security policies concerning the use of smart cards. These policies might, for example, state how smart cards are issued and how users should safeguard them. Some aspects of these policies might need to be reassessed in a XenApp or XenDesktop environment.

You can reset PINs using a card management system or vendor utility.

Smart card support also involves components available from Citrix partners. These are updated independently by the partners, and are not described in these documents. For more information, refer to the Citrix Ready program at http://www.citrix.com/ready/.

Requirements

Card reader support:
  • ZKA (Zentraler Kredit Ausschuss or Central Credit Committee) Class 1 contact card readers that comply with the USB Chip/Smart Card Interface Devices (CCID) specification are supported. These contain a slot or swipe into which the user inserts the smart card. Other classes, including Class 2 (readers with keypads for entering PINs) and contactless readers are not supported.
  • Virtual smart cards (Microsoft Windows Trusted Platform Module-based virtual smart cards) are supported on user devices with Receiver for Windows 4.3 and Windows 10 or 8. Versions of XenApp and XenDesktop earlier than 7.6 FP3 do not support virtual smart cards. For more information on virtual smart cards, see Virtual Smart Card Overview in the Microsoft Windows TechCenter.
  • Obtain a device driver for the smart card reader and install it on the user device. Many smart card readers can use the CCID device driver supplied by Microsoft.
  • Obtain a device driver and cryptographic service provider (CSP) software from your smart card vendor, and install them on both user devices and virtual desktops. The driver and CSP software must be compatible with XenApp and XenDesktop; check the vendor documentation for compatibility.

Important

Install the drivers and CSP software on the user device or virtual desktop before installing any Citrix software on that machine.

  • Citrix recommends that you install and test the drivers on a physical computer before installing Citrix software.
  • For virtual desktops running Windows 7 using smart cards that support and use the mini driver model, smart card mini drivers should download automatically, but you can obtain them from http://catalog.update.microsoft.com or from your vendor. Additionally, if PKCS#11 middleware is required, obtain it from the card vendor.

Remote PC Access with smart cards:
  • Smart cards are supported only for remote access to physical office PCs running Windows 10, Windows 8 or Windows 7; smart cards are not supported for office PCs running Windows XP.
  • The following smart cards were tested with Remote PC Access: 
    • Gemalto .NET v2+ with the Gemalto .NET mini driver
    • NIST PIV cards with ActivIdentity ActivClient 6.2
    • NIST PIV cards with Microsoft mini driver
    • CAC cards with ActivIdentity ActivClient 6.2
    • Virtual Smart Cards with Microsoft native driver

User devices must run Citrix Receiver, appropriate middleware, and one of the following operating systems: Windows 7 or Windows 8 (including Embedded Edition), 32-bit and 64-bit.

Middleware:
  • Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. A minimum requirement is that smart cards and smart card devices must be supported by the underlying Windows operating system and must be approved by the Microsoft Windows Hardware Quality Labs (WHQL) to be used on computers running qualifying Windows operating systems. See Microsoft documentation for additional information about hardware PC/SC compliance.
  • The following smart card and middleware combinations for Windows systems have been tested by Citrix as representative examples of their type. However, other smart cards and middleware can also be used. For more information about Citrix-compatible smart cards and middleware, see http://www.citrix.com/ready.
    Middleware                           Matching cards
    ActivClient 7.0 (DoD mode enabled)   DoD CAC card
    ActivClient 7.0 in PIV mode          NIST PIV card
    Microsoft mini driver                NIST PIV card
    GemAlto Mini Driver for .NET card    GemAlto .NET v2+
    Microsoft native driver              Virtual Smart Cards (TPM)

Before deploying smart cards:
  • Add the Citrix Receiver for Web URL to the Trusted Sites list for users who work with smart cards in Internet Explorer with Windows 10. In Windows 10, Internet Explorer does not run in protected mode by default for trusted sites.
  • Ensure that your public key infrastructure (PKI) is configured appropriately. This includes ensuring that certificate-to-account mapping is correctly configured for the Active Directory environment and that user certificate validation can be performed successfully.
  • Configure components to use TLS 1.0 for smart card logon.
  • Ensure your deployment meets the system requirements of the other Citrix components used with smart cards, including Receiver and StoreFront.
  • Ensure access to the following servers in your Site:
    • The Active Directory domain controller for the user account that is associated with a login certificate on the smart card
    • Delivery Controller
    • Citrix StoreFront
    • Citrix NetScaler Gateway/Citrix Access Gateway 10.x
    • Virtual Delivery Agent
    • (Optional for remote access): Microsoft Exchange Server
  • You should be familiar with smart card technology in general and the technology you selected in particular, and the SDK. You should also know how to install and maintain certificates in distributed environments.
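The PKI checks above (certificate validation and certificate-to-account mapping) can be exercised before the first logon test. The following PowerShell script is an added example, not part of the Citrix documentation or product: it lists the inserted card's certificates that carry the Smart Card Logon EKU, validates each chain under the NTAuth policy with the built-in Test-Certificate cmdlet, extracts the UPN from the Subject Alternative Name and confirms that an Active Directory account with that userPrincipalName exists. It assumes a domain-joined Windows 8 or later machine, that the card is inserted and its certificate has been propagated to the CurrentUser\My store, and the default (UPN-based) account mapping.

```powershell
# Added example (not from the Citrix page): pre-deployment check of a smart card logon certificate.
# Assumes a domain-joined Windows 8+ client, the card inserted and its certificate in CurrentUser\My.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU OID
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU OID

function Get-SmartCardLogonCertificate {
    # Certificates from the inserted card(s) that carry the Smart Card Logon EKU
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku }
}

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The UPN used for implicit mapping lives in the SAN extension (OID 2.5.29.17) as "Principal Name="
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    if ($san.Format($true) -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Test-SmartCardLogonCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # NTAUTH policy: chain must end in a trusted root and the issuing CA must be in the NTAuth store
    $chainOk = Test-Certificate -Cert $Cert -Policy NTAUTH `
        -EKU $SmartCardLogonEku, $ClientAuthEku -ErrorAction SilentlyContinue
    $upn = Get-CertificateUpn -Cert $Cert
    $account = $null
    if ($upn) {
        # Default certificate-to-account mapping: SAN UPN must match an AD userPrincipalName
        $searcher = [ADSISearcher]"(&(objectClass=user)(userPrincipalName=$upn))"
        $account = $searcher.FindOne()
    }
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        ChainValid   = [bool]$chainOk
        Upn          = $upn
        AccountFound = [bool]$account
    }
}

# Report every logon-capable certificate on the card; any $false here must be fixed before testing logon
Get-SmartCardLogonCertificate | ForEach-Object { Test-SmartCardLogonCertificate -Cert $_ } | Format-List
```

If no certificate is listed at all, run certutil -scinfo to confirm that the reader, card and middleware are visible to Windows before looking at the PKI side.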

Enable smart card use

  1. Enable the product for smart card use.
    1. Issue smart cards to the users according to your card issuance policy.
    2. (Optional) Set up smart cards to enable users for Remote PC Access.
    3. Install and configure the Delivery Controller and StoreFront (if not already installed for smart card remoting).
  2. Enable StoreFront for smart card use. For details, see Configure smart card authentication in the StoreFront documentation.
  3. Enable NetScaler Gateway/Access Gateway for smart card use. For details, see Configuring Authentication and Authorization and Configuring Smart Card Access with the Web Interface in the NetScaler documentation.
  4. Enable the Virtual Delivery Agent (VDA) for smart card use.
    1. Ensure the Virtual Delivery Agent has the required applications and updates.
    2. Install the middleware.
    3. Set up smart card remoting, enabling the communication of smart card data between Receiver on a user device and a virtual desktop session.
  5. Enable user devices (including domain-joined or non-domain-joined machines) for smart card use. See Configure smart card authentication in the StoreFront documentation for details.
    1. Import the certificate authority root certificate and the issuing certificate authority certificate into the device's keystore.
    2. Install your vendor's cryptographic middleware.
    3. Install and configure Receiver for Windows, being sure to import icaclient.adm using the Group Policy Management Console and enabling smart card authentication.
  6. Test the deployment. Ensure that the deployment is configured correctly by launching a virtual desktop with a test user's smart card. Test all possible access mechanisms (for example, accessing the desktop through Internet Explorer and Receiver).